Red Hat Bugzilla – Bug 435101
awstats cron-script is not compatible with SELinux
Last modified: 2008-06-08 09:45:52 EDT
Description of problem:
The cron-script of awstats (/etc/cron.hourly/awstats) executes awstats like this:
exec perl /usr/share/awstats/tools/awstats_updateall.pl
But this is a problem with SELinux because a type transition cannot occur. To
solve this easily drop the "perl" command:
Now the cron-script runs under the type of the file
Additionally the SELinux readme is out of date because a SELinux policy for
awstats is already included (only for Fedora, RHEL will follow in the next
Created attachment 296048 [details]
Patch to remove "perl" from the cron-script
I'm sure you're right, because my SELinux knowledge is limited. However, could
you describe how to demonstrate this failing? If I run /etc/cron.hourly/awstats
on a machine with SELinux enabled, it doesn't seem to cause any obvious problems
- I don't see any SELinux errors and the stats update runs successfully.
(In reply to comment #2)
> I'm sure you're right, because my SELinux knowledge is limited. However, could
> you describe how to demonstrate this failing? If I run /etc/cron.hourly/awstats
> on a machine with SELinux enabled, it doesn't seem to cause any obvious problems
> - I don't see any SELinux errors and the stats update runs successfully.
I guess you are using SELinux targeted policy:
$ cat /etc/selinux/config | grep "^SELINUXTYPE"
The targeted policy is very relaxed and only secures several daemons like httpd,
samba and so on. Scripts running locally and therefor from cron are not
considered to be a security problem. This means they run under full access (type
unconfined_t) and do not cause any error messages or something like this.
If you are using the SELinux strict policy then you will definitely run into
some AVC errors. Simply install the strict policy by "yum install
selinux-policy-strict". But I would suggest to use a test environment for this
because it could break some daemons/apps or whatever.
The main problem with the cron script is that SELinux only does a type
transition if you do it programmatically or via an execve() call. The latter
isn't the case because you call "exec perl awstats.pl". This means that cron
(running as system_crond_t for the scripts) executes perl (which results in an
execve() call but /usr/bin/perl is labeled as bin_t) and in the end the awstats
script runs under system_crond_t. If you would simply left out the perl command
then the cron daemon would call the awstats.pl file directly resulting in an
execve() call and while the awstats.pl script is labeled as awstats_exec_t a
domain transition would occur.
I hope I could make it a little bit more clear.
awstats-6.7-3.fc8 has been submitted as an update for Fedora 8
Fix has been checked into CVS; new package will be built soon.
awstats-6.7-3.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update awstats'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-2522
awstats-6.7-3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Built in plague for EL-5 (job ID 38986)
The new version 6.7-2.el5 fixed the problem therefore I closed the bug.